Security & trust
You carry the risk every time you ship: the breach you have to show you prevented, the tenant boundary you can't take on faith, the trail someone could quietly edit. So we describe how each control actually works, not how good it sounds. The same isolation, secret handling, and guardrails protect every tenant, from a guided evaluation to a self-hosted, air-gapped install. Read the code behind each claim below.
Tenant isolation
One tenant reading another's data is the failure you can least afford to explain. The database itself blocks it, so the boundary holds even when a query forgets to. You get to stop hoping every line of code got it right.
Enforced in the database
One tenant cannot read another tenant's data, because the database itself blocks it. The rule does not depend on app code remembering to filter.
Closed by default
A request with no tenant gets nothing back, not everything. When isolation breaks, it breaks safe. Background jobs follow the same rule.
Two layers, not one
The app still scopes its own queries as a second line of defense. The real guarantee sits underneath it, in the database.
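One way the closed-by-default rule described above can be enforced in PostgreSQL, as an added example (not IntegraCI's schema or code): row-level security keyed to a per-transaction session setting. The table, column, role and setting names are assumptions.

```sql
-- Added illustration, not IntegraCI's schema. Names are assumptions.
CREATE TABLE connectors (
    id        bigserial PRIMARY KEY,
    tenant_id text NOT NULL,
    name      text NOT NULL
);
-- Constructed sample rows, seeded before the policy is switched on.
INSERT INTO connectors (tenant_id, name) VALUES
    ('tenant_a', 'github'),
    ('tenant_b', 'gitlab');

-- The app connects as a role without BYPASSRLS, so it cannot opt out.
CREATE ROLE app_rw LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON connectors TO app_rw;
GRANT USAGE ON SEQUENCE connectors_id_seq TO app_rw;

-- FORCE applies the policy to the table owner too, not only to other roles.
ALTER TABLE connectors ENABLE ROW LEVEL SECURITY;
ALTER TABLE connectors FORCE ROW LEVEL SECURITY;

-- The policy reads the tenant from a setting the app sets per transaction.
-- current_setting(..., true) is NULL when the setting was never set, and a
-- reset custom setting reads back as '' rather than NULL, so nullif() folds
-- both into NULL. NULL = anything is never true, so with no tenant in scope
-- the policy admits zero rows: closed, not open. Background jobs run the same
-- SET LOCAL inside their own transactions and are bound by the same policy.
CREATE POLICY tenant_isolation ON connectors
    USING      (tenant_id = nullif(current_setting('app.tenant_id', true), ''))
    WITH CHECK (tenant_id = nullif(current_setting('app.tenant_id', true), ''));

-- Request scoped to tenant_a. SET LOCAL dies with the transaction, so the
-- tenant cannot leak into the next request on a pooled connection.
BEGIN;
SET LOCAL ROLE app_rw;
SET LOCAL app.tenant_id = 'tenant_a';
SELECT name FROM connectors;            -- github only
SELECT count(*) FROM connectors;        -- 1: a query that forgot to filter still sees one tenant
-- Second layer: the app scopes its own queries anyway.
SELECT name FROM connectors WHERE tenant_id = 'tenant_a';
COMMIT;

-- Request with no tenant context: nothing back, not everything.
BEGIN;
SET LOCAL ROLE app_rw;
SELECT count(*) FROM connectors;        -- 0
COMMIT;

-- Writing a row into another tenant's space fails the WITH CHECK clause.
BEGIN;
SET LOCAL ROLE app_rw;
SET LOCAL app.tenant_id = 'tenant_a';
INSERT INTO connectors (tenant_id, name) VALUES ('tenant_b', 'smuggled');
-- ERROR:  new row violates row-level security policy for table "connectors"
ROLLBACK;
```

Run this as a superuser or as the table owner that is also a member of app_rw; SET LOCAL ROLE needs that membership. The application itself must never connect as a superuser or as a role with BYPASSRLS, because those bypass every policy. The transaction is the unit of scope: a worker that processes jobs for several tenants sets app.tenant_id inside each job's transaction, not once per connection.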
Diagram: tenant_a and tenant_b, separated at the database, closed by default. Diagram: audit trail, each entry chained to the last.
Tamper-evident audit
Stop scrambling for screenshots the day before the review. Every action is cryptographically chained, so the trail you export proves itself: change a record and the chain stops adding up. You give an auditor something they can verify, not just take your word for.
Tamper-evident
Each entry is cryptographically linked to the one before it. Change or delete a record and the trail no longer adds up, so quiet edits show.
Write-once
Actions add records. Nothing rewrites history. The evidence comes from what the platform actually did, not a reconstruction after the fact.
Kept for the long haul
The trail is archived on a schedule and stays queryable across the long retention windows auditors ask for.
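One way to build the chain described above in PostgreSQL, as an added example (not IntegraCI's audit implementation): a trigger links each entry to the previous entry's hash, grants plus a guard trigger make the table write-once, and a view recomputes the chain to find where it stops adding up. Table, role and function names are assumptions.

```sql
-- Added illustration, not IntegraCI's audit implementation. Names are
-- assumptions. Needs PostgreSQL 11+ (built-in sha256(), EXECUTE FUNCTION).
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    tenant_id   text        NOT NULL,
    actor       text        NOT NULL,
    action      text        NOT NULL,
    detail      jsonb       NOT NULL DEFAULT '{}',
    occurred_at timestamptz NOT NULL DEFAULT now(),
    prev_hash   bytea       NOT NULL,
    hash        bytea       NOT NULL
);

-- One hash function shared by the trigger and the verifier, so they cannot
-- drift. jsonb::text is a canonical serialization, and the timestamp is
-- rendered in UTC so the result does not depend on the session time zone.
CREATE FUNCTION audit_entry_hash(prev bytea, e audit_log) RETURNS bytea
LANGUAGE sql STABLE AS $$
    SELECT sha256(prev || convert_to(jsonb_build_object(
        'id', e.id, 'tenant', e.tenant_id, 'actor', e.actor,
        'action', e.action, 'detail', e.detail,
        'at', to_char(e.occurred_at AT TIME ZONE 'UTC', 'YYYY-MM-DD"T"HH24:MI:SS.US')
    )::text, 'UTF8'))
$$;

-- Each new entry is hashed together with the previous entry's hash, so any
-- later change to an earlier row breaks every hash after it.
CREATE FUNCTION audit_chain() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    -- Serialize appends so two writers cannot both chain from the same tip.
    LOCK TABLE audit_log IN SHARE ROW EXCLUSIVE MODE;
    SELECT hash INTO NEW.prev_hash FROM audit_log ORDER BY id DESC LIMIT 1;
    NEW.prev_hash := COALESCE(NEW.prev_hash, sha256('genesis'::bytea));
    NEW.hash := audit_entry_hash(NEW.prev_hash, NEW);
    RETURN NEW;
END $$;
CREATE TRIGGER audit_chain BEFORE INSERT ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_chain();

-- Write-once: the app can add and read records, never rewrite them ...
CREATE ROLE audit_writer LOGIN;
GRANT SELECT, INSERT ON audit_log TO audit_writer;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO audit_writer;
-- ... and rewrites are refused even for roles granted more than they should be.
CREATE FUNCTION audit_refuse() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN RAISE EXCEPTION 'audit_log is append-only'; END $$;
CREATE TRIGGER audit_no_rewrite BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_refuse();

-- Verifier: recompute every hash and check that each prev_hash equals the
-- stored hash of the row before it. Returns the ids where the chain breaks.
CREATE VIEW audit_breaks AS
SELECT id FROM (
    SELECT a.id, a.hash, a.prev_hash,
           audit_entry_hash(a.prev_hash, a)  AS recomputed,
           lag(a.hash) OVER (ORDER BY a.id)  AS actual_prev
    FROM audit_log a
) c
WHERE hash <> recomputed
   OR prev_hash <> COALESCE(actual_prev, sha256('genesis'::bytea));

-- Constructed sample actions, one statement each so each chains from the last.
INSERT INTO audit_log (tenant_id, actor, action, detail)
    VALUES ('tenant_a', 'alice', 'connector.install', '{"name": "github"}');
INSERT INTO audit_log (tenant_id, actor, action, detail)
    VALUES ('tenant_a', 'alice', 'policy.update', '{"bundle": "example-bundle"}');
SELECT id FROM audit_breaks;            -- no rows: the trail adds up

-- A quiet edit by someone able to disable the guard (the table owner):
ALTER TABLE audit_log DISABLE TRIGGER audit_no_rewrite;
UPDATE audit_log SET actor = 'bob' WHERE id = 1;
ALTER TABLE audit_log ENABLE TRIGGER audit_no_rewrite;
SELECT id FROM audit_breaks;            -- 1: the chain stops adding up at row 1
```

The caveat a reviewer will raise: whoever can disable the guard trigger can also rewrite the whole table and recompute every hash, so the view only proves integrity against everyone below that privilege level. Copying the tip hash (the latest row's hash) to somewhere the database cannot touch, for instance alongside each scheduled archive, is what makes the trail tamper-evident against the database's own administrators rather than only within it.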
Secrets management
When you install a connector, the credentials go straight to a dedicated secrets store. Your app database keeps only a reference, never the secret itself. So even if the database leaks, there's no plaintext credential for anyone to walk off with.
Scoped per tenant
Each tenant's secrets sit in their own space, so a credential can't leak across tenants.
Nothing in the database
The database holds a pointer, not a value. There is no plaintext credential to steal from it.
Off the logs
Secrets are handed to the store at install, so they stay out of app logs and config files.
Diagram: the app database holds only secret_ref: bao://tenant_a/github; the secrets store holds the value, scoped to tenant_a. The database holds the pointer, not the value.
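One way to make the database refuse anything but a pointer, as an added example (not IntegraCI's schema): CHECK constraints that accept only a reference in the expected shape and only one inside the owning tenant's namespace. The table name, column names and the bao:// reference format are assumptions modelled on the diagram above.

```sql
-- Added illustration, not IntegraCI's schema. Names and the bao:// reference
-- format are assumptions.
CREATE TABLE connector_secrets (
    tenant_id  text NOT NULL,
    connector  text NOT NULL,
    secret_ref text NOT NULL,
    PRIMARY KEY (tenant_id, connector),
    -- Only a value shaped like a reference may be stored; a token or password
    -- pasted into this column by mistake is rejected at the database.
    CONSTRAINT secret_ref_is_pointer
        CHECK (secret_ref ~ '^bao://[a-z0-9_-]+/[a-z0-9_-]+$'),
    -- The reference must point into the owning tenant's namespace in the store:
    -- substr() drops the 'bao://' prefix, split_part() takes the first path segment.
    CONSTRAINT secret_ref_in_tenant_namespace
        CHECK (split_part(substr(secret_ref, 7), '/', 1) = tenant_id)
);

-- Constructed sample inserts.
INSERT INTO connector_secrets VALUES ('tenant_a', 'github', 'bao://tenant_a/github');
-- ok: a pointer, in tenant_a's namespace
INSERT INTO connector_secrets VALUES ('tenant_a', 'gitlab', 'PASTED_PLAINTEXT_TOKEN');
-- ERROR: violates check constraint "secret_ref_is_pointer"
INSERT INTO connector_secrets VALUES ('tenant_a', 'jira', 'bao://tenant_b/jira');
-- ERROR: violates check constraint "secret_ref_in_tenant_namespace"
```

Shape checks like these stop accidents, not a determined writer; the value itself stays out of reach only because the secrets store applies its own per-tenant policy to who may read bao://tenant_a/*. Pair the constraints with row-level security on this table so that even the reference is invisible outside its tenant.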
Governance & compliance
The frameworks you report against don't have to live in a sheet someone forgets to update. Pre-built policy bundles map to them and ship as code, so your rules are versioned and checked on every run instead of audited by hand once a year.
These are policy bundles named for the frameworks they map to. They are not a certification. Formal attestations are on the roadmap. Until they land, we describe only what ships: policy you can run, read, and test.
Identity
Automated provisioning
Your identity provider stays the source of truth for who has access. Joiners and leavers sync automatically, so offboarding needs no manual step.
Enterprise sign-on
Single sign-on with SAML is included from the Team plan up, and automated user provisioning (SCIM) comes with Enterprise.
Supply chain
You decide what's allowed to ship, and the pipeline holds the line. IntegraCI adds the security steps to your existing pipeline and gates on the results, so a build that breaks policy stops here. Your runners do the work; you keep the say.
Scans, gated
Your security scans run in the pipeline, and a build that breaks policy is blocked before it goes any further.
Catch images early
Container images and their dependencies get checked in the pipeline, so risky ones are caught before they reach production.
Controlled promotion
Moving a build from one environment to the next is gated on policy, so only checked artifacts go forward.
We respond to vendor security questionnaires and share deeper architecture detail under NDA. Send yours over and we will turn it around. No sales gate.
Responsible disclosure
Found a security issue? Tell us. Reports go straight to our security team's queue. Please give us reasonable time to remediate before any public disclosure.